portforward only key based chroot ssh access without a shell for the user under 64 Bit 
Wednesday, October 3, 2018, 08:37 - System, Debian/Ubuntu, Security
Posted by Administrator
/etc/ssh/sshd_config:
...
Match user USER
  PasswordAuthentication no
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  AllowAgentForwarding no
  ChrootDirectory /home/USER

But if the client needs a login shell this failed.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user only can press return to disconnect:

sudo useradd USER -d /home/USER -s /bin/bash
sudo mkdir /home/USER
sudo chown USER:USER /home/USER
sudo su USER
cd
touch .hushlogin    (is used to not display motd's)
mkdir .ssh
chmod 0700 .ssh 
cd .ssh 
ssh-keygen -t rsa -b 4096 
mv id_rsa.pub authorized_keys
exit
sudo passwd -d USER
sudo chown root:root /home/USER          (for sshd chroot)
sudo cp own_loginshell /home/USER/

move /home/USER/.ssh/id_rsa out to your test account and test with "ssh -i id_rsa USER@IP"

I had some troubles with a chrooted environment:


/etc/passwd USER:x:ID:ID::/home/USER:/own_loginshell

.hushlogin is NOT working and motd with last login is shown!
pam.d/sshd is running all scripts in /etc/update-motd.d.

Solution move .hushlogin to /home/USER/home/USER

To hide motd and have no delays at login we could add an exception in pam.d/sshd for our user USER

session [default=2 success=ignore] pam_succeed_if.so quiet user != USER

before

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

/etc/passwd USER:x:ID:ID::/:/own_loginshell

.hushlogin is working but before sshd is doing a chroot it checks the key against
authorized_keys based on our homedir (is / for chroot) wee need to

add "AuthorizedKeysFile /home/USER/.ssh/authorized_keys" to sshd_config

Compiling


For 64Bit there is something different to 32Bit and with my studies i compiled with

gcc -s -Os -nostdlib -ffreestanding own_loginshell.c -o own_loginshell

#> chroot /ROOTDIR ./own_loginshell
chroot: failed to run command ‘./own_loginshell’: No such file or directory

With

#> strace chroot /ROOTDIR ./own_loginshell

you only see

execve("./own_loginshell", ["./own_loginshell"], 0x7fff17d94fe8 /* 24 vars */) = -1 ENOENT (No such file or directory)

But with the help of "readelf -l own_loginshell" you see

[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]

You have to copy /lib64/ld-linux-x86-64.so.2 to CHROOT/lib64/

Or compile with "-static"

own_loginshell.c:
/*
   simple program to print to stdout and read from stdin without libc for x86-64

   taken from https://hero.handmade.network/forums/code-discussion/t/861-compiling_without_libc_on_linux

   gcc -s -Os -nostdlib -ffreestanding -static own_loginshell.c -o own_loginshell
*/

#include <stddef.h>
#include <syscall.h>

static void exit(int code)
{
    __asm__ __volatile__(
        "syscall"
        :
        : "a"(__NR_exit)
        : "cc", "rcx", "r11", "memory");
    __builtin_unreachable(); // syscall above never returns
}

// returns negative value for error (for example, if error is EINVAL, then -EINVAL is returned)
static int write(int fd, const void *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_write), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}

static int read(int fd, char *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_read), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}
    
void _start()
{   
    char text[] = "press enter to close connection";

    // for this example let's ignore result of write
    // but you should really handle it
    // 1 is stdout file handle
    write(1, text, sizeof(text) - 1);
    read(0, text, 1);
    
    exit(0);
}


[ view entry ] ( 2086 views )   |  print article
ssh otp 
Friday, September 29, 2017, 16:45 - System, Network, Debian/Ubuntu, Security, Android
Posted by Administrator
Install oathtool.
sudo apt-get install oathtool libpam-oath

Generate a secret.
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

Generate the TOTP details, 6 digits long.
oathtool --verbose --totp $HEX_SECRET

Enter the base32 secret in Android FreeOTP.

Create and populate the /etc/security/users.oath file.
sudo bash -c "echo HOTP/T30 $USER - $HEX_SECRET >> /etc/security/users.oath"
sudo chmod 0600 /etc/security/users.oath

Forget the secret!
unset HEX_SECRET

prefix /etc/pam.d/sshd with
auth sufficient pam_oath.so usersfile=/etc/security/users.oath window=10 digits=6

Allow this in sshd and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config
sudo service ssh restart

Test with
ssh localhost

You should see:
One-time password (OATH) for `USER':

To avoid otp for some users prefix /etc/pam.d/sshd with
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2


[ view entry ] ( 2052 views )   |  print article
convert to mp4 
Tuesday, November 15, 2016, 13:59 - Debian/Ubuntu, Android
Posted by Administrator
ffmpeg -i input.mp4 -pix_fmt yuv420p -vcodec libx264 -acodec aac output.mp4


[ view entry ] ( 1499 views )   |  print article
mtp mount Galaxy S3 with jmtpfs or simple-mtpfs 
Monday, May 19, 2014, 10:03 - System, Debian/Ubuntu, Android
Posted by Administrator
kio-mtp and mtp-detect stopped working :-(

But jmtpfs seams to work - i decided to mount on usb plug in with an udev rule
#> apt-get install jmtpfs
#> mkdir -p /media/mtp
/etc/udev/rules.d/99-jmtpfs.rules
ACTION=="add", ENV{ID_MTP_DEVICE}=="1", RUN="/usr/bin/jmtpfs -o allow_other /media/mtp"
ACTION=="remove", ENV{ID_MTP_DEVICE}=="1", RUN="/bin/fusermount -u /media/mtp""


A little bit faster is simple-mtpfs, but you have to compile

apt-get install libusb-dev libmtp-dev

git clone https://github.com/phatina/simple-mtpfs.git
cd imple-mtpfs
./autogen.sh
mkdir build && cd build
../configure --prefix=/usr
make
sudo make install

/etc/udev/rules.d/99-simple-mtpfs.rules
ACTION=="add",ENV{ID_MTP_DEVICE}=="1",RUN="/usr/bin/simple-mtpfs -o allow_other /media/mtp"
ACTION=="remove", ENV{ID_MTP_DEVICE}=="1", RUN="/bin/fusermount -u /media/mtp""



[ view entry ] ( 4959 views )   |  print article
sound conversion 
Tuesday, April 1, 2014, 09:05 - Debian/Ubuntu
Posted by Administrator

decode to wav


avconv -i input.m4a output.wav
for f in *.m4a; do avconv -i "$f" "${f/%m4a/wav}"; done
faad -o output.wav input.aac
sox -t raw -r 8000 -A -b 8 -c 1 file.alaw file.wav
sox -t raw -r 8000 -U -b 8 -c 1 file.mulaw test.wav

decode from wav


sox file.wav -t raw -r 8000 -c 1 -b 8 -U file.mulaw
sox file.wav -t raw -r 8000 -c 1 -b 8 -A file.alaw

cut


sox test.wav 60secs.wav --show-progress trim 0 01:00


[ view entry ] ( 1918 views )   |  print article

<<First <Back | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | Next> Last>>